From 8156ab48215768a1d8559ddd54c86aaabe2e2d89 Mon Sep 17 00:00:00 2001
From: pemontto
Date: Fri, 15 Nov 2019 12:24:29 +0000
Subject: [PATCH] Add option to forgo autogenerated SSL config

---
 defaults/main.yml | 1 +
 docs/ssl-tls-setup.md | 3 +++
 templates/elasticsearch.yml.j2 | 8 ++------
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 601c691..32e0b73 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -49,6 +49,7 @@ es_debian_startup_timeout: 10
 es_jvm_custom_parameters: ''
 
 # SSL/TLS parameters
+es_enable_auto_ssl_configuration: true
 es_enable_http_ssl: false
 es_enable_transport_ssl: false
 es_ssl_keystore: ""
diff --git a/docs/ssl-tls-setup.md b/docs/ssl-tls-setup.md
index 3e24a0c..a887e65 100644
--- a/docs/ssl-tls-setup.md
+++ b/docs/ssl-tls-setup.md
@@ -2,6 +2,8 @@
 The role allows configuring HTTP and transport layer SSL/TLS for the cluster.
 You will need to generate and provide your own PKCS12 or PEM encoded certificates as described in [Encrypting communications in Elasticsearch](https://www.elastic.co/guide/en/elasticsearch/reference/7.4/configuring-tls.html#configuring-tls).
 
+If you don't want this role to add autogenerated SSL configuration to elasticsearch.yml set `es_enable_auto_ssl_configuration` to `false` (default: `true`).
+
 The following should be configured to ensure a security-enabled cluster successfully forms:
 
 * `es_enable_http_ssl` Default `false`. Setting this to `true` will enable HTTP client SSL/TLS
@@ -38,6 +40,7 @@ $ bin/elasticsearch-certutil cert --ca ./my-ca.p12 --out ./my-keystore.p12 --pas
 
 ## Additional optional SSL/TLS configuration
 
+* `es_enable_auto_ssl_configuration` Default `true`. Whether this role should add automatically generated SSL config to elasticsearch.yml.
 * `es_ssl_certificate_path` Default `{{ es_conf_dir }}/certs`. The location where certificates should be stored on the ES node.
 * `es_ssl_verification_mode` Default `certificate`. See [SSL verification_mode](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#ssl-tls-settings) for options.
 * `es_ssl_certificate_authority` PEM encoded certificate file that should be trusted.
diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2
index f29cfc8..6adaa0d 100644
--- a/templates/elasticsearch.yml.j2
+++ b/templates/elasticsearch.yml.j2
@@ -34,7 +34,7 @@ action.auto_create_index: {{ es_action_auto_create_index }}
 
 {% if es_enable_xpack and es_api_basic_auth_username is defined and es_api_basic_auth_password is defined %}
 xpack.security.enabled: true
-{% if es_enable_transport_ssl | bool %}
+{% if es_enable_transport_ssl and es_enable_auto_ssl_configuration %}
 xpack.security.transport.ssl.enabled: true
 xpack.security.transport.ssl.verification_mode: "{{ es_ssl_verification_mode }}"
 {% if es_ssl_keystore and es_ssl_truststore %}
@@ -47,11 +47,9 @@ xpack.security.transport.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_s
 xpack.security.transport.ssl.certificate_authorities: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}"
 {% endif %}
 {% endif %}
-{% else %}
-# xpack.security.transport.ssl.enabled: false
 {% endif %}
 
-{% if es_enable_http_ssl | bool %}
+{% if es_enable_http_ssl and es_enable_auto_ssl_configuration %}
 xpack.security.http.ssl.enabled: true
 {% if es_ssl_keystore and es_ssl_truststore %}
 xpack.security.http.ssl.keystore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}"
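Review bot: The rewritten conditions in this hunk and in the `es_enable_http_ssl` hunk that follows drop the `| bool` filter, so `es_enable_transport_ssl`, `es_enable_http_ssl` and the new `es_enable_auto_ssl_configuration` are now tested for plain Jinja truthiness, and a value that arrives as the string `"false"` (as extra-vars and INI inventory values do) counts as true. For the new flag that defeats the opt-out: an operator who disables auto configuration in order to supply their own `xpack.security.*.ssl.*` settings elsewhere would still get these keys rendered, and Elasticsearch, as far as I know, refuses to start on an elasticsearch.yml with duplicated settings keys. Keep the filter on every operand: `{% if es_enable_transport_ssl | bool and es_enable_auto_ssl_configuration | bool %}` here and `{% if es_enable_http_ssl | bool and es_enable_auto_ssl_configuration | bool %}` in the second hunk. Since `xpack.security.enabled: true` is still emitted when the auto configuration is turned off, a template comment such as `{# es_enable_auto_ssl_configuration=false: the operator must supply the xpack.security.*.ssl.* settings themselves #}` above the condition would make the new contract visible to whoever edits this file next. The enclosing `{% if es_enable_xpack ... %}` block is closed in the third hunk, outside the two discussed here.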
@@ -63,8 +61,6 @@ xpack.security.http.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_ssl_ce
 xpack.security.http.ssl.certificate_authorities: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}"
 {% endif %}
 {% endif %}
-{% else %}
-# xpack.security.http.ssl.enabled: false
 {% endif %}
 {% endif %}
 